FILED
CLERK, U.S. DISTRICT COURT
12/8/2020
CENTRAL DISTRICT OF CALIFORNIA
BY: JB DEPUTY

UNITED STATES DISTRICT COURT
FOR THE CENTRAL DISTRICT OF CALIFORNIA
January 2020 Grand Jury

UNITED STATES OF AMERICA,
Plaintiff,
v.
JON CHANG HYOK,
aka “Quan Jiang,”
aka “Alex Jiang,”
KIM IL,
aka “Julien Kim,”
aka “Tony Walker,” and
PARK JIN HYOK,
aka “Jin Hyok Park,”
aka “Pak Jin Hek,”
aka “Pak Kwang Jin,”
Defendants.

CR 2:20-cr-00614-DMG

INDICTMENT

[18 U.S.C. § 371: Conspiracy; 18 U.S.C. § 1349: Conspiracy to Commit Wire Fraud and Bank Fraud; 18 U.S.C. §§ 982, 1030: Criminal Forfeiture]

The Grand Jury charges:

INTRODUCTORY ALLEGATIONS AND DEFINITIONS

At times relevant to this Indictment:

A. The Conspiracy and Defendants

1. The Democratic People’s Republic of Korea (“DPRK”), also known as (“aka”) North Korea, operated a military intelligence agency called the Reconnaissance General Bureau (“RGB”). The RGB was headquartered in Pyongyang, DPRK, and comprised multiple units.

2. Defendants JON CHANG HYOK (NH4), aka “Quan Jiang,” aka “Alex Jiang”; KIM IL (29), aka “Julien Kim,” aka “Tony Walker”; and PARK JIN HYOK ($34), aka “Jin Hyok Park,” aka “Pak Jin Hek,” aka “Pak Kwang Jin” (collectively, the “defendants”), whose photographs are attached as Exhibit A through Exhibit C, respectively, were members of units of the RGB who knowingly and intentionally conspired with each other, and with persons known and unknown to the Grand Jury (collectively, with the defendants, referred to as the “conspirators” and the “hackers”), to conduct criminal cyber intrusions.

3. The defendants and other conspirators resided in the DPRK, but, at times during the operation of the conspiracy, traveled to and worked from other countries -- including the People’s Republic of China and the Russian Federation -- while employed by units of the RGB. The conspirators included members of units of the RGB that have come to be known within the cyber-security community as both Lazarus Group and Advanced Persistent Threat 38 (“APT38”).

4. The conspirators hacked into the computers of victims to cause damage, steal data and money, and otherwise further the strategic and financial interests of the DPRK government and its leader, Kim Jong Un (the “DPRK regime”). In some instances, the hackers sought to cause damage through computer intrusions in response to perceived reputational harm or to obtain information furthering strategic interests of the DPRK regime. In many instances, the hackers intended the computer intrusions to steal currency and virtual currency (also known as “cryptocurrency”), or to obtain it through extortion, for the benefit of the DPRK regime -- and, at times, for their own private financial gain. The hackers attempted to steal or extort more than $1.3 billion from victims in cyber-enabled heists and Automated Teller Machine (“ATM”) cash-outs from banks, cyber-enabled heists from cryptocurrency companies, and cyber-enabled extortion schemes.

5. The hackers’ victims and intended victims included entertainment companies, financial institutions, cryptocurrency companies (including cryptocurrency exchanges, traders, and marketplaces), online casinos, cleared defense contractors, energy utilities, and individuals. The hackers hacked and defrauded victims around the world -- including in Bangladesh, Malta, Mexico, Indonesia, Pakistan, the Philippines, Poland, the Republic of Korea, Slovenia, Taiwan, the United Kingdom, Vietnam, Central America, and Africa -- as well as in the United States and, specifically, the Central District of California. The hackers targeted victims in numerous other countries, as well, and used infrastructure and online accounts from around the world in furtherance of the computer intrusions, including infrastructure located in the Central District of California.

6. The computer intrusions often started with fraudulent, spear-phishing messages -- emails and other electronic communications designed to make intended victims download and execute malicious software (“malware”) developed by the hackers. At other times, the spear-phishing messages would encourage intended victims to download or invest in a cryptocurrency-related software program created by the hackers, which covertly contained malicious code and/or would subsequently be updated with malicious code after the program was downloaded (a “malicious cryptocurrency application”). To hone the spear-phishing messages, the hackers would conduct internet research regarding their intended victims and would send “test” spear-phishing messages to each other or themselves. The hackers employed false and fraudulent personas when they sent spear-phishing messages to victims.

7. Once they gained access to a victim computer system, the hackers would conduct research within the system, attempt to move laterally within a computer network, and attempt to locate and exfiltrate sensitive and confidential information. In both revenge- and financially-motivated computer attacks, the hackers would, at times, execute commands to destroy computer systems, deploy ransomware, or otherwise render the computers of their victims inoperable.

8. The hackers took steps to avoid detection and attribution of their computer intrusions to themselves, the RGB, and the DPRK. However, the computer infrastructure and online accounts used in the computer intrusions, and technical similarities in the malware employed, connected these computer intrusions with the hackers, showing that (a) the defendants and other hackers were conspiring with one another, (b) they were members of the RGB, and (c) the computer intrusions were part of a single hacking conspiracy.

B. The Hackers’ Targets

Entertainment Companies

9. Sony Pictures Entertainment Inc. (“Sony Pictures”) was an American entertainment company, headquartered in Culver City, California, that produced and distributed filmed entertainment, including the movie “The Interview,” which depicted the fictionalized assassination of Kim Jong Un, whom it parodied. Sony Pictures maintained computer systems, including servers hosting employee data and servers hosting intellectual property, in Los Angeles County, within the Central District of California, that operated in interstate and foreign commerce.

10. AMC Theatres was an American movie theater chain headquartered in Leawood, Kansas, which was set to show “The Interview” in its theaters prior to the cyber-attack on Sony Pictures.

11. Mammoth Screen was a United Kingdom television production company that was producing “Opposite Number,” a ten-part fictional series about a British nuclear scientist on a covert mission who was taken prisoner in the DPRK.

Financial Institutions and Financial Regulators

12. The “African Bank” was a bank headquartered in a country in Africa.

13. Bangladesh Bank, the central bank of Bangladesh, was headquartered in Dhaka, Bangladesh.

14. Banco Nacional De Comercio Exterior, which is also known as “Bancomext,” was a Mexican state-owned bank headquartered in Mexico City, Mexico.

15. The “Maltese Bank” was a bank headquartered in Malta.

16. BankIslami Pakistan Limited, which is also known as “BankIslami,” was a bank headquartered in Karachi, Pakistan.

17. The “New York Financial Services Company” was a financial services company headquartered in New York, New York.

18. The Polish Financial Supervision Authority was the financial regulatory authority for Poland, and was based in Warsaw, Poland.

19. The “Philippine Bank” was a bank headquartered in Makati, Philippines.

20. Far Eastern International Bank was a bank headquartered in Taipei, Taiwan.

21. The “Vietnamese Bank” was a bank headquartered in Hanoi, Vietnam.

Cryptocurrency Companies

22. The “Indonesian Cryptocurrency Company” was a cryptocurrency exchange based in Jakarta, Indonesia.

23. The “South Korean Cryptocurrency Company” was a cryptocurrency exchange based in the Republic of Korea.

24. The “Slovenian Cryptocurrency Company” was a crypto-mining company headquartered in Ljubljana, Slovenia.

Online Casino Companies

25. “Central American Online Casino 1” was an online casino business headquartered in a Central American country.

26. “Central American Online Casino 2” was an online casino business headquartered in a Central American country.

C. Definitions

27. An Internet Protocol version 4 address, also known as an “IPv4 address,” or more commonly an “IP address,” is a set of four numbers or “octets,” each ranging from 0 to 255 and separated by a period (“.”) that is used to route traffic on the internet. A single IP address can manage internet traffic for more than one computer or device, such as in a workspace or when a router in one’s home routes traffic to one’s desktop computer, as well as one’s tablet or smartphone, while all using the same IP address to access the internet.

28. “Malware” is malicious computer software intended to cause a victim computer to behave in a manner inconsistent with the intention of the owner or user of the victim computer, usually unbeknownst to that person. The hackers developed and used numerous types of malware, including worms, ransomware, credential-stealers, key-loggers, screen-grabbers, and backdoors.

29. “Brambul” is a type of “worm” malware that spreads through self-replication by infecting new victim systems via brute force attacks on the victim’s Server Message Block (“SMB”) protocol. SMB is a method that Microsoft systems use to share files on a network. A brute force attack is a computer network attack that attempts to login to a potential victim computer, server, or account using a predetermined list of possible username and password combinations, which lists often contain thousands of common combinations of usernames and passwords that include specific default settings used on certain applications and devices. Upon successfully gaining access to a victim computer, Brambul conducts a survey of the victim machine and collects information, including the victim’s IP address, system name, operating system, username last logged in, and last password used. Brambul then sends that information via Simple Mail Transfer Protocol to one or more of the email addresses (“Brambul collector accounts”) that are hard-coded in Brambul.

30. “Ransomware” is a type of malware that infects a computer and encrypts some or all of the data or files on the computer, and then demands that the victim pay a ransom in order to decrypt and recover the files, or in order to prevent the hacker from distributing or destroying the data.

31. A “watering hole” is a type of computer intrusion technique in which a hacker uses malware to compromise a website known to be visited by intended victims. The malware then infects the computers of intended victims (and sometimes unintended victims) who visit the website, giving the hacker access to the victims’ computers and networks.

32. “Command and control” IP addresses or domains -- sometimes referred to as “C2s” -- are computers with which malware communicates to send and receive data and commands.

33. A “spear-phishing” message is a tailored and personalized email or other electronic communication designed to appear legitimate in order to induce the targeted recipient(s) to take a certain action -- such as clicking on a link, or downloading or opening a file -- that would cause a victim’s computer to be compromised by a hacker. Spear-phishing messages often include information that the hacker knows about the recipient(s) based on research or other sources of information about the intended victim.

34. “Cryptocurrency” or “virtual currency” is a digital asset designed to work as a medium of exchange that uses cryptography to secure financial transactions, control the creation of additional units of the currency, and verify and transfer assets. Cryptocurrency is typically accessed using secret or private encryption “keys” which are commonly stored using a software “wallet.” Cryptocurrency “exchanges” are clearinghouses that allow for the exchange between different types of cryptocurrencies, or between cryptocurrency and fiat currency. “Crypto-mining” is a means of generating new units of cryptocurrency.

35. An “initial coin offering” or “ICO” is the cryptocurrency equivalent of a stock’s Initial Public Offering or “IPO” -- that is, a cryptocurrency developer’s first offer to sell a stake in a cryptocurrency to the public.

[18 U.S.C. § 371]

36. The Grand Jury re-alleges and incorporates paragraphs 1 through 35 of the Introductory Allegations and Definitions of this Indictment.

A. OBJECTS OF THE CONSPIRACY

37. Beginning on a date unknown to the Grand Jury, but no later than September 28, 2009, and continuing through at least December 8, 2020, in Los Angeles County, within the Central District of California, and elsewhere, defendants JON CHANG HYOK, KIM IL, and PARK JIN HYOK, together with others known and unknown to the Grand Jury, knowingly conspired:

a. to intentionally access computers without authorization and obtain information from protected computers, in violation of Title 18, United States Code, Section 1030(a)(2)(C), (c)(2)(B)(i)-(iii);

b. to knowingly and with intent to defraud access protected computers without authorization, and by means of such conduct further the intended fraud and obtain a thing of value, in violation of Title 18, United States Code, Section 1030(a)(4), (c)(3)(A);

c. to knowingly cause the transmission of programs, information, codes, and commands, and as a result of such conduct intentionally cause damage without authorization to protected computers, in violation of Title 18, United States Code, Section 1030(a)(5)(A), (c)(4)(B)(i), (c)(4)(A)(i)(I), (c)(4)(A)(i)(VI); and

d. to transmit in interstate and foreign commerce, with the intent to extort money and other things of value, a communication containing (i) a threat to cause damage to a protected computer, (ii) a threat to impair the confidentiality of information obtained from a protected computer without authorization, and (iii) a demand and request for money and other things of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion, in violation of Title 18, United States Code, Section 1030(a)(7)(A)-(C), (c)(3)(A).

B. MEANS BY WHICH THE OBJECTS OF THE CONSPIRACY WERE TO BE ACCOMPLISHED

38. The objects of the conspiracy were to be accomplished, in substance, as follows:

Development and Dissemination of Malware

a. The hackers would develop malware that could be transmitted to potential victims in order to gain unauthorized access to the computer(s) of the victims. Such malware would include the Brambul worm, ransomware, and other types of malware.

b. At times, the hackers would conceal the malware within seemingly legitimate word processing documents or software applications, including programs related to cryptocurrency trading (i.e., malicious cryptocurrency applications), which the hackers would falsely and fraudulently, and through the omission of material facts, market as being legitimate software applications. Malicious cryptocurrency applications would contain, or would through a subsequent software update process be updated to contain, malicious code that would provide the hackers with unauthorized access to the computers of persons who downloaded the applications.

c. At other times, the hackers would conceal the malware within legitimate websites in order to infect victims visiting the websites (i.e., a watering hole).

d. Defendants JON CHANG HYOK, KIM IL, PARK JIN HYOK, and other conspirators, would register and use email and social media accounts in false and fraudulent names -- including the names of real persons -- to use in gaining unauthorized access to victim computers, including to contact potential victims, send spear-phishing messages, register other accounts used by the hackers, and/or serve as Brambul collector accounts.

e. Hackers would use the internet to research potential victims with whom they would attempt to communicate.

f. Defendants JON CHANG HYOK, KIM IL, and other conspirators, would communicate with potential victims using false and fraudulent names, sending spear-phishing messages or electronic messages designed to establish a relationship with the intended victim before sending a later spear-phishing message. The hackers would communicate with individuals in a variety of sectors, including entertainment companies, financial institutions, hundreds of cryptocurrency companies, online casinos, cleared defense contractors, energy utilities, technology companies, and government agencies.

g. Defendants JON CHANG HYOK, KIM IL, and other conspirators, would send misleading and fraudulent communications to potential victims containing malware or directing the potential victims to download malware, including malicious cryptocurrency applications, ransomware, and other malware.

h. At times, to carry out computer intrusions or attempted intrusions, hackers would use or access computer infrastructure that they had compromised through the Brambul worm or a watering hole.

Destructive Cyberattacks, and Attempted Cyberattacks, on Entertainment Companies

i. After malware was installed on the computer(s) of an intended victim entertainment company, the hackers would use the malware to access the computer(s) without authorization and install other malware.

j. The hackers would then access the computer(s) of the victim entertainment company without authorization and attempt to access other computer systems connected to the computer(s) to steal confidential credentials, files, data, unreleased movies, and other information that could be damaging or embarrassing to the entertainment company.

k. The hackers would then install destructive malware on the victim entertainment company’s computers, which malware could be used to destroy or impair the computers and render them inoperable, and to conceal forensic evidence of the hackers’ unauthorized access.

l. After successfully installing destructive malware on computers of the victim entertainment company, the hackers would, at a later date, make threatening communications to the victim entertainment company using false and fraudulent personas, publicly disseminate the victim entertainment company’s confidential internal information, and activate destructive capabilities of the malware the hackers previously installed in order to destroy or impair the victim entertainment company’s computers and render them inoperable.

Bank Cyber-Enabled Heists

m. After malware was installed on the computer(s) of an intended victim bank, the hackers would use the malware to access the computer(s) without authorization and install other malware.

n. The hackers would access the computer(s) of the victim bank without authorization and attempt to move through the bank’s network in order to access one or more computers that the victim bank used to send or receive messages through the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) communication system.

o. The hackers would develop and deploy malware customized to the computer network of the victim bank, in order to send fraudulent SWIFT messages from the victim bank’s computer system, authorizing fraudulent wire transfers to bank accounts used and controlled by the hackers, including accounts at United States federally insured financial institutions.

p. The hackers also would develop and deploy destructive malware to conceal their point of access to the victim bank’s computer network, their path through the victim bank’s computer network, and the fraudulent wire transfers.

q. At times, the hackers would install, on the computer(s), malware designed to destroy, impair, or render inoperable the victim bank’s computer network or computers within the network, and to conceal forensic evidence of the hackers’ unauthorized access to the computer(s).

Cyber-Enabled Extortions

r. After malware was installed on the computer(s) of an intended extortion victim, the hackers would use the malware to access the computer(s) without authorization and install other malware.

s. The hackers would then access the computer(s) of the extortion victim without authorization and attempt to access other computer systems connected to the computer(s) to steal confidential credentials, files, data, and other information that could be damaging or embarrassing to the extortion victim.

t. At times, the hackers would install ransomware on the computer(s) of the extortion victim in order to render the computer(s) inaccessible and inoperable.

u. The hackers would then communicate with the extortion victim, demanding a payment in a cryptocurrency, such as Bitcoin, in exchange for not publicly releasing the extortion victim’s files that had been stolen or unencrypting any computers infected by ransomware.

v. The hackers would, at times, offer to tell the extortion victim how the hackers had accessed the extortion victim’s computer(s) if additional ransom payments were made.

w. If the extortion victim did not pay the hackers’ ransom demands, the hackers would threaten to -- and would in fact -- publicly disseminate confidential information stolen from the computer(s) of the extortion victim, destroy the information and not return a copy, or leave the computer(s) of the victim encrypted with ransomware.

Cryptocurrency Heists

x. After malware, such as a malicious cryptocurrency application, was installed on the computer(s) of an intended victim cryptocurrency company, the hackers would use the malware to access the computer(s) without authorization and install other malware.

y. The hackers would access the computer(s) of the victim cryptocurrency company without authorization and attempt to move through the victim cryptocurrency company’s computer network in order to access a computer that would provide access to the victim cryptocurrency company’s cryptocurrency wallet(s) and private keys to the wallet.

z. Once they had access to the wallet(s) and private keys of the victim cryptocurrency company, the hackers would fraudulently and without authorization transfer cryptocurrency from those wallets to wallets used and controlled by the hackers.

ATM Cash-Outs

aa. After malware was installed on the computer(s) of an intended victim bank, the hackers would use the malware to access the computer(s) without authorization and install other malware.

bb. The hackers would access the computer(s) of the victim bank without authorization and attempt to move through the victim bank’s computer network in order to access one or more computers that the victim bank used to manage ATM transactions.

cc. The hackers would develop and deploy malware customized to the computer network of the victim bank, in order to intercept ATM transaction data and cause fraudulent ATM withdrawal requests to be approved, which would cause a requesting ATM to dispense cash to money-launderer coconspirators.

dd. The hackers also developed and deployed malware to conceal their point of access to the victim bank’s computer network, their path through the victim bank’s computer network, and the fraudulent ATM withdrawal requests.

C. OVERT ACTS

39. In furtherance of the conspiracy, and to accomplish its objects, defendants JON CHANG HYOK, KIM IL, and PARK JIN HYOK, together with others known and unknown to the Grand Jury, on or about the dates set forth below, committed and caused to be committed various overt acts, in the Central District of California and elsewhere, including, but not limited to, the following:

Destructive Cyberattacks, and Attempted Cyberattacks, on Entertainment Companies

Overt Act No. 1: Beginning on November 24, 2014, after sending threatening communications to Sony Pictures employees, the hackers initiated a destructive cyber-attack of Sony Pictures computers, publicly disseminated Sony Pictures’ confidential data and communications stolen from its computers, and made further threats against the company and its employees.

Overt Act No. 2: On December 2 and 3, 2014, the hackers sent spear-phishing messages to AMC Theatres employees from multiple email accounts.

Overt Act No. 3: At an unknown date in 2015, the hackers gained unauthorized access to the computers of Mammoth Screen.

Cyber-Enabled Heists from, and Intrusions of, Banks

Overt Act No. 4: Beginning in or around November 2015, the hackers gained unauthorized access to the Philippine Bank’s computer network, but did not succeed in making fraudulent wire transfers before the unauthorized access was detected and mitigated.

Overt Act No. 5: On December 9, 2015, having gained unauthorized access to the Vietnamese Bank’s computer network at an earlier date, the hackers conducted false and fraudulent wire transfers totaling approximately €2 million to bank accounts in Slovenia and Bulgaria, and attempted to conduct fraudulent wire transfers of approximately $3.4 million to Russia, A$1 million to Australia, and ¥90 million to Japan.

Overt Act No. 6: On February 4, 2016, having gained unauthorized access to Bangladesh Bank’s computer network at an earlier date, the hackers attempted to conduct false and fraudulent wire transfers totaling approximately $951 million, and conducted false and fraudulent wire transfers totaling approximately $81 million to bank accounts in the Philippines and $20 million to a bank account in Sri Lanka, which moneys all belonged to Bangladesh Bank and were held in accounts at the Federal Reserve Bank of New York.

Overt Act No. 7: On July 20, 2016, having gained unauthorized access to the African Bank’s computer network at an earlier date, the hackers conducted false and fraudulent wire transfers totaling approximately $104.1 million to bank accounts in Taiwan, Thailand, and Cambodia.

Overt Act No. 8: Beginning in or around October 2016, the hackers gained unauthorized access to the computer network of the Polish Financial Supervision Authority and made its website into a watering hole.

Overt Act No. 9: On October 3, 2017, having gained unauthorized access to Far Eastern International Bank’s computer network at an earlier date, the hackers conducted false and fraudulent wire transfers totaling approximately $60.1 million to bank accounts in Sri Lanka, Cambodia, and the United States.

Overt Act No. 10: On January 9, 2018, having gained unauthorized access to Bancomext’s computer network at an earlier date, the hackers conducted false and fraudulent wire transfers totaling approximately $110 million to bank accounts in the Republic of Korea, and then deployed malware on more than 400 of Bancomext’s computers.

Overt Act No. 11: In January and February 2019, defendant KIM IL or another hacker communicated with unindicted coconspirator Ghaleb Alaumary regarding bank accounts that could receive false and fraudulent wire transfers from the Maltese Bank.

Overt Act No. 12: On February 12, 2019, having gained unauthorized access to the Maltese Bank’s computer network at an earlier date, the hackers conducted false and fraudulent wire transfers totaling approximately $6.4 million and €7.1 million to bank accounts in Hong Kong, the United Kingdom, the United States, and the Czech Republic.

Cyber-Enabled Extortions and Ransomware

Overt Act No. 13: On or before May 12, 2017, the hackers authored the ransomware used in a global, destructive cyber-attack known publicly as WannaCry Version 2.

Overt Act No. 14: On June 29, 2017, having gained unauthorized access to a computer system at an earlier date and stolen confidential customer information of the South Korean Cryptocurrency Company, the hackers publicly released that information after the South Korean Cryptocurrency Company refused to pay a ransom of approximately $16 million in cryptocurrency.

Overt Act No. 15: On August 24, 2017, having gained unauthorized access to a computer system of a victim company at an earlier date, the hackers deployed ransomware on the computer system and then extorted payments totaling approximately $100,000 in cryptocurrency from the victim.

Overt Act No. 16: On October 13, 2017, having gained unauthorized access to the computer network of Central American Online Casino 1 at an earlier date and stolen its confidential customer information, the hackers extorted payments totaling approximately $2.3 million in cryptocurrency from Central American Online Casino 1.

Overt Act No. 17: On November 2, 2017, having gained unauthorized access to the computer network of Central American Online Casino 2 at an earlier date and stolen its confidential customer information, the hackers extorted payments totaling approximately $361,500 in cryptocurrency from Central American Online Casino 2.

Malicious Cryptocurrency Applications

Overt Act No. 18: Beginning in March 2018, defendant JON CHANG
HYOK and other hackers sent electronic communications, including
spear-phishing messages, to numerous employees of cryptocurrency
exchanges.

Overt Act No. 19: Beginning on or before May 15, 2018,
defendant JON CHANG HYOK and other hackers developed Celas Trade Pro,
which was purportedly cryptocurrency trading software, but which was,
in reality, a malicious cryptocurrency application.

Overt Act No. 20: Beginning on June 18, 2018, defendant JON
CHANG HYOK and other hackers sent electronic communications
advertising Celas Trade Pro to numerous employees of cryptocurrency
exchanges.

Overt Act No. 21: Beginning on or before October 11, 2018,
defendant JON CHANG HYOK and other hackers developed WorldBit-Bot,
which was purportedly cryptocurrency trading software, but which was,
in reality, a malicious cryptocurrency application.

Overt Act No. 22: Beginning on November 14, 2018, defendant
JON CHANG HYOK and other hackers sent electronic communications
advertising WorldBit-Bot to employees of cryptocurrency exchanges.

Overt Act No. 23: Beginning on or before March 6, 2019, the
hackers developed iCryptoFx, which was purportedly a “Cryptocurrency
Algo-Trading Tool,” but which was, in reality, a malicious
cryptocurrency application.

Overt Act No. 24: Beginning on April 27, 2019, defendant KIM
IL or another hacker created online accounts using false and
fraudulent personas for purported employees of iCryptoFx, which were
designed to make iCryptoFx appear to be a legitimate cryptocurrency
program.

Overt Act No. 25: Beginning on or before June 4, 2019,
defendant JON CHANG HYOK and other hackers developed Union Crypto
Trader, which was purportedly a cryptocurrency trading software, but
which was, in reality, a malicious cryptocurrency application.

Overt Act No. 26: On dates in April 2019 through July 2019,
defendant JON CHANG HYOK and other hackers created online accounts
using false and fraudulent personas for purported employees of Union
Crypto Trader, which were designed to make Union Crypto Trader appear
to be legitimate.

Overt Act No. 27: Beginning on or before February 21, 2020,
defendant JON CHANG HYOK and other hackers developed Kupay Wallet,
which was purportedly cryptocurrency wallet software, but which was,
in reality, a malicious cryptocurrency application.

Overt Act No. 28: Beginning on or before February 28, 2020,
defendant JON CHANG HYOK and other hackers developed CoinGo Trade,
which was purportedly cryptocurrency trading software, but which was,
in reality, a malicious cryptocurrency application.

Overt Act No. 29: In early March 2020, defendant JON CHANG
HYOK or another hacker sent electronic communications advertising and
encouraging the download of Kupay Wallet.

Overt Act No. 30: In late March 2020, defendant JON CHANG HYOK
or another hacker sent electronic communications advertising and
encouraging the download of CoinGo Trade.

Overt Act No. 31: Beginning on or before March 30, 2020,
defendant JON CHANG HYOK and other hackers developed Dorusio, which
was purportedly cryptocurrency wallet software, but which was, in
reality, a malicious cryptocurrency application.

Overt Act No. 32: On March 30, 2020, defendant JON CHANG HYOK
or another hacker sent electronic communications advertising and
encouraging the download of Dorusio.

Overt Act No. 33: Beginning on or before May 6, 2020,
defendant JON CHANG HYOK and other hackers developed CryptoNeuro
Trader, which was purportedly cryptocurrency trading software, but
which was, in reality, a malicious cryptocurrency application.

Overt Act No. 34: In late July 2020, defendant JON CHANG HYOK
or another hacker sent electronic communications advertising and
encouraging the download of CryptoNeuro Trader.

Overt Act No. 35: Beginning on or before September 1, 2020, a
conspirator or conspirators developed Ants2Whale, which was
purportedly cryptocurrency trading software, but which was, in
reality, a malicious cryptocurrency application.

Cryptocurrency Heists

Overt Act No. 36: On December 4, 2017, a conspirator sent a
spear-phishing communication to an employee of the Slovenian
Cryptocurrency Company, which included a hyperlink that redirected
the employee to download a file containing malware.

Overt Act No. 37: On December 15, 2017, having gained
unauthorized access to the computer network of the Slovenian
Cryptocurrency Company at an earlier date, the hackers fraudulently
transferred cryptocurrency, valued at approximately $75 million, from
the wallets of the Slovenian Cryptocurrency Company.

Overt Act No. 38: In March 2018 and April 2018, a conspirator
sent spear-phishing communications to employees of the Indonesian
Cryptocurrency Company.

Overt Act No. 39: On September 27, 2018, having gained
unauthorized access to the computer network of the Indonesian
Cryptocurrency Company at an earlier date, the hackers fraudulently
transferred cryptocurrency, valued at approximately $24.9 million,
from the wallets of the Indonesian Cryptocurrency Company.

Overt Act No. 40: On August 7, 2020, having gained
unauthorized access to the computer network of the New York Financial
Services Company at an earlier date by using the CryptoNeuro Trader
malicious cryptocurrency application, and using that unauthorized
access to steal data that they would later use to attempt to extort
the New York Financial Services Company, the hackers fraudulently
transferred cryptocurrency, valued at approximately $11.8 million,
from the wallets of the New York Financial Services Company.

ATM Cash-Outs

Overt Act No. 41: On October 27, 2018, having gained
unauthorized access to the computer network of BankIslami, the
hackers caused fraudulent ATM withdrawal requests to be approved,
which caused requesting ATMs to dispense approximately $6.1 million
to money-launderer coconspirators, including coconspirators acting at
the direction of unindicted coconspirator Ghaleb Alaumary.

Additional Spear-Phishing Campaigns

Overt Act No. 42: Beginning in March 2016 and continuing
through August 2016, conspirators sent numerous spear-phishing
communications to employees of United States cleared defense
contractors, energy companies, and aerospace companies.

Overt Act No. 43: Beginning in February 2017 and continuing
through May 2017, conspirators sent numerous spear-phishing
communications to United States cleared defense contractors.

Overt Act No. 44: In November 2019, conspirators sent
spear-phishing communications to the employees of the United States
Department of State.

Overt Act No. 45: In January and February 2020, conspirators
sent numerous spear-phishing communications to employees of the
United States Department of State, the United States Department of
Defense, and multiple United States technology companies.

COUNT TWO

[18 U.S.C. § 1349]

40. The Grand Jury re-alleges and incorporates paragraphs 1
through 35 of the Introductory Allegations and Definitions of this
Indictment.

A. OBJECTS OF THE CONSPIRACY

41. Beginning on a date unknown to the Grand Jury, but no later
than September 28, 2009, and continuing through at least December 8,
2020, in Los Angeles County, within the Central District of
California, and elsewhere, defendants JON CHANG HYOK, KIM IL, and
PARK JIN HYOK, together with others known and unknown to the Grand
Jury, knowingly conspired to commit the following offenses:

a. wire fraud, in violation of Title 18, United States
Code, Section 1343; and

b. bank fraud, in violation of Title 18, United States
Code, Section 1344(2).

B. THE MANNER AND MEANS OF THE CONSPIRACY

42. The objects of the conspiracy were to be accomplished, in
substance, as follows:

a. The Grand Jury re-alleges and incorporates paragraphs
38.a through 38.dd of Section B of Count One of this Indictment.

Marine Chain

b. Defendant KIM IL and other conspirators would develop
a plan to create a digital token called “Marine Chain Token,” which
would allow investors to purchase fractional ownership interests in
marine shipping vessels, such as cargo ships, supported by a
blockchain.

c. Defendant KIM IL would contact individuals in
Singapore, whom defendant KIM IL knew from when he previously lived
in Singapore, regarding potential involvement in creating Marine
Chain.

d. Defendant KIM IL and other conspirators would, at
other times, use false and fraudulent names when contacting
individuals who they hoped would be involved in creating Marine
Chain. In those instances, defendant KIM IL and other conspirators
would not disclose to these individuals that the conspirators were
DPRK citizens or that they were communicating using false and
fraudulent names.

e. Defendant KIM IL and other conspirators would raise
funds for the Marine Chain platform through an ICO, which would, in
part, entail communicating with potential investors using false and
fraudulent names in order to convince them to invest in the Marine
Chain platform. Defendant KIM IL and other conspirators would not
disclose to these individuals that the conspirators were DPRK
citizens or that they were communicating using false and fraudulent
names. They also would not disclose to investors that a purpose of
the Marine Chain Token was to evade United States sanctions on North
Korea.

f. Defendant KIM IL and other conspirators would attempt
to receive approval from the Securities and Futures Commission of
Hong Kong to trade the Marine Chain Token as a security.

g. Defendant KIM IL and other conspirators would tokenize
individual vessels on the Marine Chain platform, allowing investors
to purchase ownership interests in marine shipping vessels.

C. OVERT ACTS

43. In furtherance of the conspiracy, and to accomplish its
objects, defendants JON CHANG HYOK, KIM IL, and PARK JIN HYOK,
together with others known and unknown to the Grand Jury, on or about
the dates set forth below, committed and caused to be committed
various overt acts, in the Central District of California and
elsewhere, including, but not limited to, the following:

Overt Act Nos. 1-45: The Grand Jury re-alleges and incorporates
Overt Act Number 1 through Overt Act Number 45 of Section C of Count
One of this Indictment here.

Overt Act No. 46: Beginning no later than October 31, 2017,
defendant KIM IL and other conspirators communicated with each other
regarding development of Marine Chain.

Overt Act No. 47: Beginning on November 28, 2017, while in
Russia, defendant KIM IL communicated with individuals in Singapore
about establishing Marine Chain.

Overt Act No. 48: On May 1, 2018, defendant KIM IL sent a
final business plan for Marine Chain to a conspirator.

FORFEITURE ALLEGATION ONE

[18 U.S.C. §§ 982 and 1030]

1. Pursuant to Rule 32.2(a) of the Federal Rules of Criminal
Procedure, notice is hereby given that the United States will seek
forfeiture as part of any sentence, pursuant to Title 18, United
States Code, Sections 982(a)(2) and 1030(i), in the event of any
defendant’s conviction of the offense set forth in Count One of this
Indictment.

2. Any defendant so convicted shall forfeit to the United
States of America the following:

a. All right, title, and interest in any and all
property, real or personal, constituting, or derived from, any
proceeds obtained, directly or indirectly, as a result of the
offense;

b. Any property used or intended to be used to commit the
offense; and

c. To the extent such property is not available for
forfeiture, a sum of money equal to the total value of the property
described in subparagraphs (a) and (b).

3. Pursuant to Title 21, United States Code, Section 853(p),
as incorporated by Title 18, United States Code, Sections 982(b)(1)
and 1030(i), any defendant so convicted shall forfeit substitute
property, up to the total value of the property described in the
preceding paragraph if, as the result of any act or omission of said
defendant, the property described in the preceding paragraph, or any
portion thereof: (a) cannot be located upon the exercise of due
diligence; (b) has been transferred, sold to or deposited with a
third party; (c) has been placed beyond the jurisdiction of the
court; (d) has been substantially diminished in value; or (e) has
been commingled with other property that cannot be divided without
difficulty.

FORFEITURE ALLEGATION TWO

[18 U.S.C. § 982]

1. Pursuant to Rule 32.2(a) of the Federal Rules of Criminal
Procedure, notice is hereby given that the United States of America
will seek forfeiture as part of any sentence, pursuant to Title 18,
United States Code, Section 982(a)(2), in the event of any
defendant’s conviction of the offense set forth in Count Two of this
Indictment.

2. Any defendant so convicted shall forfeit to the United
States of America the following:

a. All right, title and interest in any and all property,
real or personal, constituting, or derived from, any proceeds
obtained, directly or indirectly, as a result of the offense; and

b. To the extent such property is not available for
forfeiture, a sum of money equal to the total value of the property
described in subparagraph (a).

3. Pursuant to Title 21, United States Code, Section 853(p),
as incorporated by Title 18, United States Code, Section 982(b), any
defendant so convicted shall forfeit substitute property, up to the
total value of the property described in the preceding paragraph if,
as the result of any act or omission of said defendant, the property
described in the preceding paragraph, or any portion thereof: (a)
cannot be located upon the exercise of due diligence; (b) has been
transferred, sold to or deposited with a third party; (c) has been
placed beyond the jurisdiction of the court; (d) has been
substantially diminished in value; or (e) has been commingled with
other property that cannot be divided without difficulty.

EXHIBIT A

JON CHANG HYOK,
aka “Quan Jiang,”
aka “Alex Jiang”

EXHIBIT B

KIM IL,
aka “Julien Kim,”
aka “Tony Walker”

EXHIBIT C

PARK JIN HYOK,
aka “Jin Hyok Park,”
aka “Pak Jin Hek,”
aka “Pak Kwang Jin”